Define "not overly big on math". If you decide to major in CS, you will probably need to take 2-3 semesters of calculus and possibly 1-2 other math courses such as statistics, discrete math and/or linear algebra. If you struggle in math courses or haven't taken anything beyond introductory algebra, you should probably look to major in something else.

Either a CS or IT degree can help you to develop some of the skills you need, but neither will directly prepare you to be a penetration tester. CS is very heavy on theory (algorithms, computation, languages) and will also cover OS internals, organization and architecture. Most of this is not directly applicable but this knowledge will provide you with the background that you need to go wherever you want. You won't have trouble learning a new scripting language, developing shellcode or building tools.

An IT degree is more practical and may even include a course on penetration testing (mine did), but it's not as technical as a CS degree and won't give you the same ability to dive deep into technical problems. My IT degree program (at Capella) was pretty heavy on policy, procedure, standards, frameworks, etc. It introduced many technical areas (e.g. forensics, penetration testing, application security) but the coverage was only survey-level and not sufficient to make one employable in any of those areas.

If you can handle the math, I recommend getting a CS degree, possibly with a minor in Business Administration. Study security and penetration testing on your own while you complete school. If you can work part-time in any area of IT while you complete school, even at a help desk, do so. If you don't want to do the math, do the IT degree.

I decided to do the IT degree because I'm already in management and hope to move further up the ranks. I was already pretty technical and wanted to learn more about policy, procedure, etc. I also hate math classes (but love math).

I am 35 and haven't touched math for nearly 17 years. I am working full time in more of a communications role, but have got some basic IT skills, some personal programming experience, etc. It would take probably a good six months minimum for me to get up to the required math level for a CS degree (I believe). It just means I would have to concentrate on that one area for a while, before commencing/attempting the degree. I do not believe I would have any serious issue with any other unit of a CS degree, other than the math.

If I took the Bachelor of IT (I am hoping to do a Diploma of German on the side), at least I could do some other, more specific pen testing stuff on my own, e.g. HackingDojo/elearnsecurity etc.

I just can't really justify to myself that it is worth investing so much time into learning math again, if it will only serve a small (?) part of my future direction.

I am still enrolled currently in a bridging course to (hopefully) bring me up to a uni level math knowledge. Maybe I should just complete that first, and see how I feel next year.